[FFmpeg-devel] [PATCH] h264 bitstream filter

Benoit Fouet benoit.fouet
Mon Sep 3 09:43:15 CEST 2007 

Hi,

Michael Niedermayer wrote:
> Hi
>
> On Fri, Aug 31, 2007 at 12:31:59PM +0200, Benoit Fouet wrote:
>   
>> +    if (!ctx->sps_pps_data) {
>> +        uint16_t unit_size;
>> +        uint32_t total_size = 0;
>> +        uint8_t *out = NULL, unit_nb, sps_done = 0;
>> +        const uint8_t *extradata = avctx->extradata+4;
>> +        static const uint8_t nalu_header[4] = {0, 0, 0, 1};
>> +
>> +        /* retrieve length coded size */
>> +        ctx->length_size = (*extradata++ & 0x03) + 1;
>> +
>> +        /* retrieve sps and pps unit(s) */
>> +        unit_nb = *extradata++ & 0x1f; /* number of sps unit(s) */
>> +        if (!unit_nb) {
>> +            unit_nb = *extradata++; /* number of pps unit(s) */
>> +            sps_done++;
>> +        }
>> +        while (unit_nb--) {
>> +            unit_size = AV_RB16(extradata);
>> +            total_size += unit_size+4;
>> +            if (extradata+2+unit_size > avctx->extradata+avctx->extradata_size) {
>> +                av_free(out);
>> +                return -1;
>> +            }
>> +            out = av_realloc(out, total_size);
>> +            memcpy(out+total_size-unit_size-4, nalu_header, 4);
>>     
>
> out==NULL should be checked as we dont start writing at out but later
> theres a small risk that this could be exploitable
>
>   

ok
btw, how is this memory freed (if it is) ?
as there is no close function, i guess i'll have to alloc / free sps &
pps at each filter call, no ?
if it is so, would it be acceptable to change AVBitStreamFilter
structure to add such a function ?

> except that it looks ok
> [...]
>   

updated patch attached.
i also removed the condition on input buffer size (as it can only lead
to invalead reads), and reduced the extradata size threshold to 6 (which
is the minimum size in case there is neither pps nor pps in it).
i updated return values to use AVERROR(...).

if someone has a better name for this filter, i'd be happy to apply it
too :)

thanks,

-- 
Ben
Purple Labs S.A.
www.purplelabs.com
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: h264_bsf.diff
URL: <http://lists.mplayerhq.hu/pipermail/ffmpeg-devel/attachments/20070903/392fe701/attachment.txt>

More information about the ffmpeg-devel mailing list